Remote working adds to IT compliance risks, but doesn’t remove the need to assess compliance. How are remote compliance assessments carried out and how can you prepare for them?

In this podcast, we look at how remote compliance assessments work with Mathieu Gorge, CEO of Vigitrust.

The upsurge of remote working during the coronavirus pandemic adds to the risks to IT and data compliance, but it doesn’t remove the likelihood of being assessed for compliance to various legal and regulatory frameworks.

We talk about how remote compliance assessments are carried out when assessors cannot be on-site and what organisations can do to be best prepared for them.

Mathieu Gorge: Part of the reason we need remote compliance assessments is that in the current climate and as more and more people are working from home, assessors may not be in a position to go on-site and perform assessments that they would otherwise have completed at the company premises.

What that means is that interviews and observing what’s being done on-site can be done remotely, at least for the time being.

So, a number of assessors are putting out guidelines for their clients about what assessments can be done remotely and what cannot be done remotely.

And it is clear that if you look at any type of security framework – whether it’s PCI, ISO or NIST or any of the mainstream regulations and frameworks – there is an element of physical security in there and if you can’t be on-site, you need an option to remotely see what’s going on on-site.

What that means is that someone from the organisation might need to be on-site and they’ll need to use some technology that allows the assessor to remotely be there with them and see video evidence of what’s happening within the physical premises.

The evidence is not limited to video or audio. It is also providing copies of policies and procedures, copies of mapping of the ecosystem and also anything that has to do with data flow. And that’s not necessarily new with remote assessments, but it’s an emphasis that assessors are putting on at the moment.

So, the risks of not being able to test mean that you will fall out of compliance. The assessor, or the authority that is checking you are in compliance, might give you an extension but, at the end of the day, you still need to remain compliant.

Assessors will ask you to demonstrate and validate that the evidence you’re providing is adequate for full assessment.

Adshead: How are remote compliance assessments carried out?

Gorge: I think it’s really a question of preparedness. The more prepared you are, the easier it will be to make your remote security assessment a successful one, so you need to be ready and you need to anticipate the assessor’s needs.

The assessor will want to be able to have secure access to network diagrams, ecosystem diagrams, data flow diagrams. Also make sure that the right people are available at the right time. In normal times, when we’re in a building, it’s easy to go up to someone in a different office and wheel them into the assessment. In a remote assessment situation, you can’t do that, so you need to have people ready on standby who can join in the call.

It’s also interesting that there’s a debate right now as to whether the interviews and the discussions between the assessor and the company being assessed should be recorded. Purely from a GDPR [General Data Protection Regulation] perspective, that is throwing up a number of challenges. But also the assessor might say: “Actually, I am supposed to record everything that you’re saying. Normally I would be typing it or recording it through another system, but right now we need to do that remotely, so we need to use a system that allows you to do that securely.”

Finally, what we would recommend you do is use a collaborative risk management solution that allows you, in real time, to share information in a secure environment, and that includes maybe the ability to get access to systems, to do data sampling, and that really should be limited to the data that’s in scope. One of the pitfalls of remote assessment is to open up the enterprise too widely.

What I mean by that is that you need to limit the remote access to what’s in scope. So, if you’re doing a PCI-DSS assessment, it’s the credit card holder data. If you’re looking at alignment with FDA or NHS regulation, it’s really protected health information.

So, it’s a balance between providing enough access so the assessor can be satisfied they’ve done the right sampling and that the evidence is OK, but not opening your systems too widely, which is something it’s easier to control when it’s on-site and not as easy when it’s done remotely.

So, in summary, it’s really being prepared and anticipating the needs of the assessor for them to validate that you’re in compliance.
